From 678f26b0e7335d498549cdbb85e68ca62f2654ab Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sun, 10 May 2026 20:48:48 -0700 Subject: [PATCH] C0: fix homepage container /app/config write permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous Dockerfile chowned /app/config to 1000:1000 so the runtime user could seed missing skeleton configs (e.g. proxmox.yaml) and write /app/config/logs. The nix derivation didn't replicate that, so the new amd64 image crashed with EACCES on cold start (fixed-forward — caught during ringtail cutover, ArgoCD #348). Add fakeRootCommands to dockerTools to create /app and /app/config and chown them at build time. The deployment's ConfigMap subPath mounts leave the parent directory as image filesystem, so its ownership has to be set at build time, not at runtime. --- containers/homepage/default.nix | 11 +++++++++++ docs/changelog.d/+homepage-config-perms-fix.bugfix.md | 5 +++++ 2 files changed, 16 insertions(+) create mode 100644 docs/changelog.d/+homepage-config-perms-fix.bugfix.md diff --git a/containers/homepage/default.nix b/containers/homepage/default.nix index 7b4becb..6217847 100644 --- a/containers/homepage/default.nix +++ b/containers/homepage/default.nix @@ -100,6 +100,17 @@ pkgs.dockerTools.buildLayeredImage { chmod 1777 tmp ''; + # /app/config must be writable by the runtime user (1000): homepage seeds + # missing skeleton configs (proxmox.yaml, etc.) and writes /app/config/logs. + # The deployment mounts ConfigMap files at /app/config/.yaml via + # subPath, which leaves the parent dir as image filesystem — so its + # ownership has to be set at build time. + fakeRootCommands = '' + mkdir -p app/config + chown -R 1000:1000 app + ''; + enableFakechroot = true; + config = { Entrypoint = [ "${homepage}/bin/homepage" ]; Env = [ 
diff --git a/docs/changelog.d/+homepage-config-perms-fix.bugfix.md b/docs/changelog.d/+homepage-config-perms-fix.bugfix.md new file mode 100644 index 0000000..20e1135 --- /dev/null +++ b/docs/changelog.d/+homepage-config-perms-fix.bugfix.md @@ -0,0 +1,5 @@ +Fixed homepage container EACCES on cold start: the nix-built image now chowns +`/app/config` to uid 1000 at build time via `fakeRootCommands`, matching the +behavior of the old Dockerfile. Without this, homepage couldn't seed missing +skeleton configs (proxmox.yaml etc.) or create `/app/config/logs`, crashing on +its first uncached request. Caught during the ringtail cutover.
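Review bot: In containers/homepage/default.nix, `chown -R 1000:1000 app` hands uid 1000 the whole /app tree, while the comment above it only justifies write access to /app/config. Consider narrowing it to `chown -R 1000:1000 app/config` so the runtime user owns only the directory it has to write to, or extend the comment to say why /app itself must be owned by 1000. Two smaller points in the same hunk: the comment reads `/app/config/.yaml` as shown here, which looks like a missing file-name placeholder, and `enableFakechroot = true;` is added without a comment saying why the two relative-path commands need it.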
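Review bot: In docs/changelog.d/+homepage-config-perms-fix.bugfix.md, the entry says the image chowns `/app/config` to uid 1000, but the command added in default.nix is `chown -R 1000:1000 app`, which sets both owner and group on everything under /app. Either reword the entry to describe what the build does (/app, uid and gid 1000) or narrow the command to app/config so the changelog stays accurate for anyone auditing the image's file ownership later.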